Bug 1134560 (CVE-2015-0804)

Type confusion in HTMLSourceElement::BindToTree

RESOLVED FIXED

Status

()

defect
RESOLVED FIXED
5 years ago
3 years ago

People

(Reporter: nils, Assigned: longsonr)

Tracking

({sec-critical})

unspecified
x86_64
Linux
Points:
---
Dependency tree / graph
Bug Flags:
sec-bounty +

Firefox Tracking Flags

(firefox36 wontfix, firefox37+ fixed, firefox38+ fixed, firefox39+ fixed, firefox-esr31 unaffected, b2g-v1.4 unaffected, b2g-v2.0 unaffected, b2g-v2.0M unaffected, b2g-v2.1 disabled, b2g-v2.1S disabled, b2g-v2.2 disabled, b2g-master fixed)

Details

(Whiteboard: [adv-main37+])

Attachments

(2 attachments)

402 bytes, text/html
Details
14.48 KB, text/plain
Details
Posted file testcase
When binding a <source> element to a tree the functions checks for any siblings of the type <img>. It fails to validate the namespace and only checks for the tag name:

  if (aParent && aParent->IsNodeOfType(nsINode::eMEDIA)) {
    HTMLMediaElement* media = static_cast<HTMLMediaElement*>(aParent);
    media->NotifyAddedSource();
  } else if (aParent && aParent->Tag() == nsGkAtoms::picture) {
    // Find any img siblings after this <source> and notify them
    nsCOMPtr<nsINode> sibling = AsContent();
    while ( (sibling = sibling->GetNextSibling()) ) {
      if (sibling->Tag() == nsGkAtoms::img) {
        HTMLImageElement *img = static_cast<HTMLImageElement*>(sibling.get());
        img->PictureSourceAdded(AsContent());
      }
    }
  }

  This can result in a type confusion. See attached testcase which demonstrates the issue. ASan detects this issue as a use-after-free (output attached). This vulnerability can also be triggered on the stable release version of Firefox without <picture> being enabled as the check in the code only validates the tag name. The testcase on crashes on Windows accessing on mapped memory during garbage collection.
Posted file asan.txt
Blocks: 1134280
Assignee: nobody → longsonr
patch in bug 1134561 fixes this too.
Depends on: CVE-2015-0803
Flags: sec-bounty?
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Flags: sec-bounty? → sec-bounty+
Whiteboard: [adv-main37+]
Alias: CVE-2015-0804
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.